Operator being rewritten - rlm_python
Hi Guys, Trying to get rlm_python going on 3.0.13 on Centos 7. Got everything working correctly although I am finding that the reply tuple does not appear to be accepting my operator +=. See debug below: authorize - 'reply:Framed-IP-Address' = '192.0.2.0' authorize - 'reply:Cisco-AVPair' += 'ip:dns-servers=192.0.2.255 192.0.2.254' authorize - 'reply:Cisco-AVPair' += 'ip:outacl#10=deny udp any any eq domain' authorize - 'reply:Cisco-AVPair' += 'ip:outacl#20=deny udp any any eq snmp' authorize - 'reply:Cisco-AVPair' += 'ip:outacl#30=deny udp any any eq 1900' authorize - 'reply:Cisco-AVPair' += 'ip:outacl#40=deny tcp any any eq 80' authorize - 'reply:Cisco-AVPair' += 'ip:outacl#50=deny udp any any eq 80' authorize - 'reply:Cisco-AVPair' += 'ip:outacl#60=deny tcp any any eq 443' authorize - 'reply:Cisco-AVPair' += 'ip:outacl#70=deny udp any any eq 443' authorize - 'reply:Cisco-AVPair' += 'ip:outacl#80=permit ip any any' authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#10=deny udp any any eq domain' authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#20=deny udp any any eq snmp' authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#30=deny udp any any eq 1900' authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#40=deny tcp any any eq 80' authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#50=deny udp any any eq 80' authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#60=deny tcp any any eq 443' authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#70=deny udp any any eq 443' authorize - 'reply:Cisco-AVPair' += 'ipv6:outacl#80=permit ipv6 any any' authorize - 'config:Cleartext-Password' = 'test' (0) [python] = ok (0) } # authorize = ok (0) Found Auth-Type = CHAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type CHAP { (0) chap: Comparing with "known good" Cleartext-Password (0) chap: CHAP user "test@domain.com" authenticated successfully (0) [chap] = ok (0) } # Auth-Type CHAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Login OK: [test@domain.com] (from client localhost port 0) (0) Sent Access-Accept Id 121 from 127.0.0.1:1812 to 127.0.0.1:54848 length 0 (0) Framed-IP-Address = 192.0.2.0 (0) Cisco-AVPair = "ip:dns-servers=192.0.2.255 192.0.2.254" (0) Cisco-AVPair = "ip:outacl#10=deny udp any any eq domain" (0) Cisco-AVPair = "ip:outacl#20=deny udp any any eq snmp" (0) Cisco-AVPair = "ip:outacl#30=deny udp any any eq 1900" (0) Cisco-AVPair = "ip:outacl#40=deny tcp any any eq 80" (0) Cisco-AVPair = "ip:outacl#50=deny udp any any eq 80" (0) Cisco-AVPair = "ip:outacl#60=deny tcp any any eq 443" (0) Cisco-AVPair = "ip:outacl#70=deny udp any any eq 443" (0) Cisco-AVPair = "ip:outacl#80=permit ip any any" (0) Cisco-AVPair = "ipv6:outacl#10=deny udp any any eq domain" (0) Cisco-AVPair = "ipv6:outacl#20=deny udp any any eq snmp" (0) Cisco-AVPair = "ipv6:outacl#30=deny udp any any eq 1900" (0) Cisco-AVPair = "ipv6:outacl#40=deny tcp any any eq 80" (0) Cisco-AVPair = "ipv6:outacl#50=deny udp any any eq 80" (0) Cisco-AVPair = "ipv6:outacl#60=deny tcp any any eq 443" (0) Cisco-AVPair = "ipv6:outacl#70=deny udp any any eq 443" (0) Cisco-AVPair = "ipv6:outacl#80=permit ipv6 any any" Note in the authorize reply output provided by rlm_python shows the op as +=, but the op in the access accept show =. I note that in the source there is a sanity check to verify the operator passed to rlm_python, but I'm not seeing any logs even in -XX showing that its being rewritten as per the source. Any ideas? Thanks, Fraser
On Nov 20, 2017, at 3:51 AM, Fraser McGlinn <fraser@frizianz.com> wrote:
Note in the authorize reply output provided by rlm_python shows the op as +=, but the op in the access accept show =.
It's fine. RADIUS packets don't contain an operator. The operator matters only when attributes are being added or deleted to a list. When the attributes are finally *in* the list, the operators are all "=". And why would this be a bad thing? Is the server sending back the attributes you need? If so, it's fine. Alan DeKok.
Thanks mate, didn't actually know this one. It makes a bit more sense now. Appreciate the guidance. Cheers, Fraser -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+fraser=frizianz.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, November 20, 2017 11:26 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Operator being rewritten - rlm_python On Nov 20, 2017, at 3:51 AM, Fraser McGlinn <fraser@frizianz.com> wrote:
Note in the authorize reply output provided by rlm_python shows the op as +=, but the op in the access accept show =.
It's fine. RADIUS packets don't contain an operator. The operator matters only when attributes are being added or deleted to a list. When the attributes are finally *in* the list, the operators are all "=". And why would this be a bad thing? Is the server sending back the attributes you need? If so, it's fine. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Fraser McGlinn